What is LEVITATION?

A behaviour-based target discovery project
Multi-disciplinary team

Prototyping and delivering advances in:

• Behavioural tradecraft
• Hypothesis tradecraft
• Tradecraft automation

TOP SECRET//SI//REL CAN, AUS, GBR, NZL, USA




Current Hypotheses

Active:
• FFU
• Sequential numbers
• Obvious selector names
• Web search terms

In Development:
• GPS waypoints
• Devices close to places
• Telephony gaps
• Targets of foreign SIGINT agencies
• Missed calls
FFU Hypothesis

Extremists use Free File Upload (FFU) sites differently than the general public.

• Al-Qaida uses FFU sites to distribute Jihadist propaganda
• Extremists use FFU sites to distribute training materials
What do we need?

• A list of suspect documents
• A list of FFU URLs referring to those documents
• A list of IPs downloading those URLs

New documents are found by CWOC (CSEC Web Operations Centre) retrieval from URLs, so that's the easy part.
New URLs

Where new FFU URLs come from:

• CSEC's web forums team
• 2nd Party reports & alerts
• Machine learning: learning the textual context for the URLs in web forums
• HTTP referrers: follow URL referrers back to the originating site
• Previous correlations analysis: using technical techniques to figure out what else that user was up to at the same time, e.g. Google Analytics cookies






[Figure: Kettle (Pentaho Data Integration) transformation that harvests new FFU URLs. Recoverable step names, in flow order: Get STALKER Hostnames → Build SQL for STALKER Referers → Dummy 1 → Query FFU for STALKER Referers → Select values 2 → Filter out heavy hitters → Select values → IP Geo and Network Info → FFU Requests Master List → Remove spaces → Mail New URLs; Get Variables → Output new URLs. Remaining labels in the screenshot are illegible.]
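The referrer pivot on the preceding slides (query FFU requests whose HTTP Referer comes from a watched hostname, drop heavy-hitter IPs, emit the URLs not yet on the master list) as an added Python example. This is not LEVITATION code; the watch-list hostnames, the master list, the IP addresses, the request records and the heavy-hitter threshold are all constructed for illustration, since the slide shows none of them.

```python
"""Added example (not LEVITATION code): discovering new FFU URLs by pivoting on
HTTP Referer headers, after the pattern 'Query FFU for STALKER Referers ->
Filter out heavy hitters -> Output new URLs'. Every host, IP, URL and
threshold below is constructed."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for the slide's "STALKER Hostnames" (the real list is not on the page).
WATCHED_REFERRER_HOSTS = {"forum.example-jihad.net", "board.example-extremist.org"}

# Constructed master list of FFU URLs already known to point at documents of interest.
MASTER_FFU_URLS = {"sendspace.com/file/abc123"}

# Constructed HTTP-metadata events: (client_ip, requested FFU URL, Referer header).
EVENTS = [
    ("203.0.113.5",  "http://www.sendspace.com/file/abc123", "http://forum.example-jihad.net/thread/77"),
    ("203.0.113.5",  "http://www.sendspace.com/file/new001", "http://forum.example-jihad.net/thread/78"),
    ("198.51.100.9", "http://mediafire.com/?new002",         "https://board.example-extremist.org/post/5"),
    ("198.51.100.9", "http://mediafire.com/?new002",         "https://board.example-extremist.org/post/5"),
    ("192.0.2.77",   "http://www.sendspace.com/file/xyz999", "http://www.google.com/search?q=sendspace"),
] + [
    # One IP fetching fifty different files from the watched forum: a crawler or
    # proxy, not a person; it must not be allowed to flood the new-URL list.
    ("192.0.2.200", f"http://www.sendspace.com/file/bulk{i}", "http://forum.example-jihad.net/index")
    for i in range(50)
]


def normalize_url(url):
    """Canonical form for set membership: embedded spaces removed (cf. the
    'Remove spaces' step), scheme dropped, host lower-cased without 'www.'."""
    parts = urlsplit(url.replace(" ", ""))
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path + ("?" + parts.query if parts.query else "")


def referrer_host(referer):
    return urlsplit(referer).netloc.lower()


def heavy_hitters(events, max_requests):
    """IPs whose request volume exceeds max_requests (proxies, crawlers, NAT
    egress points). The threshold is an assumption; the slide gives no value."""
    counts = Counter(ip for ip, _, _ in events)
    return {ip for ip, n in counts.items() if n > max_requests}


def discover_new_urls(events, watched_hosts, master_list, max_requests=20):
    """Normalized FFU URLs reached from a watched referrer host, not already on
    the master list, and not requested only by heavy-hitter IPs."""
    noisy = heavy_hitters(events, max_requests)
    known = {normalize_url(u) for u in master_list}
    found = set()
    for ip, url, referer in events:
        if ip in noisy or referrer_host(referer) not in watched_hosts:
            continue
        canon = normalize_url(url)
        if canon not in known:
            found.add(canon)
    return found


if __name__ == "__main__":
    for u in sorted(discover_new_urls(EVENTS, WATCHED_REFERRER_HOSTS, MASTER_FFU_URLS)):
        print("new URL:", u)
```

With the constructed input, only sendspace.com/file/new001 and mediafire.com/?new002 are emitted: abc123 is already known, the Google-referred request has no watched referrer, and the fifty bulk requests are discarded with their source IP. Normalization matters more than it looks: the same file is routinely requested as http://www.sendspace.com/..., http://sendspace.com/... and with stray spaces from copy-and-paste in forum posts, and without a canonical form the master list silently misses repeats.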
FFU Events Collection

ATOMIC BANJO (Special Source) is collecting HTTP metadata for 102 known FFU sites.

We see about 10-15 million FFU events per day.
All the FFU events are available through OLYMPIA.
Looking for a few good documents

We only care about the 2,200 URLs that point to documents of interest.

e.g. How to make a gas bomb
www.sendspace.com/file

Every day we sort through the 10-15M events for the interesting ones.

We're finding about 350 interesting download events per month.
Documents vary

• Chloroform in a Lowes bucket
• Bajadin Explosives Manual
• And lots of pictures of cars on fire
Filtering out Glee Episodes

[Figure: Kettle transformation that filters the daily FFU event stream down to hits on the master list. Recoverable step names: Create HTTP_RLINE SQL → Dummy 1 → Query HTTP_RLINE; Master List Extremist Documents URLs → Get URL Length; Geo; Sort by time; Convert String IPs; Master FFU Hits; Add constants; Stream lookup; Create HTTP_LOCATION SQL → Dummy 2 → Query HTTP_LOCATION; Filter rows; outputs Processed FFU records and New FFU records. Remaining labels in the screenshot are illegible.]
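The daily filtering job on the two preceding slides (pull the request line out of each HTTP metadata record, match it against the master list of document URLs, convert and geolocate the string IP, and separate new hits from records already processed) as an added Python example. This is not LEVITATION code: the master list entries, the CIDR-to-country table, the raw records and the "already processed" set are constructed, and a real deployment would use a proper GeoIP database rather than a two-row table.

```python
"""Added example (not LEVITATION code): matching a day's FFU HTTP-metadata
records against a master list of document URLs, attaching coarse geolocation,
and separating new hits from already-processed ones, after the pattern
'Master List -> Convert String IPs -> Geo -> Stream lookup -> Filter rows ->
New FFU records'. All records, URLs, IPs and the CIDR table are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for the 2,200-entry master list: canonical URL -> title.
MASTER_LIST = {
    "sendspace.com/file/expl001": "The Explosives Course",
    "archive.org/almapl.mp4": "German hostage video",
}

# Constructed CIDR -> country table ('IP Geo and Network Info' stand-in).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "Kenya"),
    (ipaddress.ip_network("198.51.100.0/24"), "Iraq"),
]

# Constructed raw records: (timestamp, client IP as text, HTTP request line, User-Agent).
RAW_EVENTS = [
    ("2012-03-07T07:46:51Z", "203.0.113.5", "GET http://www.sendspace.com/file/expl001 HTTP/1.1",
     "Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"),
    ("2012-03-07T07:50:00Z", "203.0.113.5", "GET http://www.sendspace.com/file/glee_s03e12 HTTP/1.1",
     "Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"),
    ("2012-03-28T18:32:32Z", "198.51.100.9", "GET http://archive.org/almapl.mp4 HTTP/1.1",
     "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"),
    # Malformed source address: collection artefacts like this must not abort the run.
    ("2012-03-28T18:40:00Z", "not.an.ip", "GET http://archive.org/almapl.mp4 HTTP/1.1", "curl/7.21"),
]

# Constructed set of (timestamp, ip, url) triples reported by an earlier run.
PROCESSED = {("2012-03-28T18:32:32Z", "198.51.100.9", "archive.org/almapl.mp4")}


def normalize_url(url):
    """Scheme dropped, spaces removed, host lower-cased without 'www.'."""
    parts = urlsplit(url.replace(" ", ""))
    host = parts.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    return host + parts.path + ("?" + parts.query if parts.query else "")


def url_from_request_line(request_line):
    """Target of 'METHOD URL HTTP/x.y' (the HTTP_RLINE field on the slide)."""
    fields = request_line.split()
    return fields[1] if len(fields) >= 2 else ""


def geolocate(ip_text, geo_table):
    """Convert the string IP and look it up; malformed addresses and addresses
    outside the table yield None instead of an exception."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, country in geo_table:
        if ip in net:
            return country
    return None


def find_hits(raw_events, master_list, geo_table, processed):
    """Return (new_hits, already_processed); each hit is a dict with the matched
    URL, document title, country and user agent. Records whose URL is not on
    the master list (the Glee episodes) are dropped."""
    new_hits, old_hits = [], []
    for ts, ip, rline, ua in raw_events:
        canon = normalize_url(url_from_request_line(rline))
        title = master_list.get(canon)
        if title is None:
            continue
        hit = {"time": ts, "ip": ip, "url": canon, "title": title,
               "country": geolocate(ip, geo_table), "user_agent": ua}
        (old_hits if (ts, ip, canon) in processed else new_hits).append(hit)
    return new_hits, old_hits


if __name__ == "__main__":
    new, old = find_hits(RAW_EVENTS, MASTER_LIST, GEO_TABLE, PROCESSED)
    for h in new:
        print(f"{h['time']} {h['ip']} ({h['country']}) -> {h['title']} via {h['url']}")
    print(f"{len(old)} record(s) already processed")
```

The dedupe key is (timestamp, IP, URL) rather than the raw record, so a re-collected copy of the same request does not produce a second hit, while the same user fetching the document again on another day does. The malformed-IP record still surfaces as a hit with country None; dropping it silently would hide a collection problem from the analyst.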
Resulting events

FFU Hits

[Figure: Windows Explorer screenshot of Computer ▸ shares (\\corp) (R:) ▸ Share_1 ▸ Levitation ▸ FFU ▸ FFU Hits. The folder holds one sub-folder per run, named "<date> FFU Hit Selector ..." with run dates from 01-20-2012 to 03-20-2012 (modified between February and March 2012), plus one Microsoft Excel workbook. Country values visible in the listing include Iraq, Saudi Arabia, Yemen and Occupied Palestinian Territory.]
Start analysis with event info

FFU hit from selector [redacted] on 7/03/2012 7:46:51, geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Correlating other selectors with the IP

FFU hit from selector [redacted] on 7/03/2012 7:46:51, geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Can we correlate any other selectors with this IP address?

Mutant Broth query on IP [redacted] for 5 hours on either side of 7/03/2012 7:46:51:
682 events, including 77 with an exact match of the user agent above, yielding a Facebook ID [redacted] and a Google PREF ID cookie [redacted].

(Workbook: FFU Hit Selector [redacted], March 7, 2012. Mutant Broth query.xlsx)
Correlating Facebook cookie

FFU hit from selector [redacted] on 7/03/2012 7:46:51, geolocated to Kenya, accessing The Explosives Course through FFU site sendspace.com with HTTP user agent Mozilla/5.0 (Ubuntu; X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

Open Source research indicates that the user of Facebook ID [redacted] is based in Dubai, United Arab Emirates.

Marina Profile Query on Facebook User Cookie [redacted] observed in the Mutant Broth query above:
Lots of events, including registration email address [redacted]@gmail.com and Facebook name [redacted].

Can we correlate any other selectors with this Facebook ID cookie?

Mutant Broth sub-query on Facebook User Cookie [redacted] observed in the Mutant Broth query above:
946 events, with 893 matching exactly the user agent above.

(Workbooks: FFU Hit Selector [redacted], March 7, 2012. Marina Profile Query on Facebook ID [redacted].xlsx; FFU Hit Selector [redacted], March 7, 2012. Mutant Broth Sub-Query on Facebook ID [redacted].xlsx)
IP Correlation

[Figure: Kettle job "FFUHits Analysis.kjb" with the transformation "MUTANTBROTH TDIs.ktr" open. Recoverable step names: Multi-Threads → Cut justification to 150 chars → MUTANT BROTH → Filter Empty Result → MB Raw Results → Sort by Sequence → Group TDIs/User-Agents → Calc Confidence → MB TDIs → Sort by Confidence → Filter on User-Agent → Different U.-A. Groups; error path: Error Handling → Ignore Empty Result.]

Sample of the result grid (user-agent group shown: Mozilla/4.0 (compatible; MSIE 8.0; Win..., cut off in the screenshot):

Document Link            Document Title/Description   EVENT_TIMESTAMP                ACTIVITY DATE
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:32:32 GMT 2012   2012-03-28T18:18:00Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:32:32 GMT 2012   2012-03-28T18:18:00Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:32:32 GMT 2012   2012-03-28T18:18:17Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:32:32 GMT 2012   2012-03-28T18:18:17Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:09:27Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:09:27Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:18:00Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:18:00Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:18:00Z
archive.org/almapl.mp4   German hostage video         Wed Mar 28 18:23:42 GMT 2012   2012-03-28T18:18:17Z
Automated analysis documentation
What happens then?

• Compare control and experimental groups to show statistical differences
• Analyse experimental group to determine statistical power of the hypothesis
• Assemble selectors across all hypotheses
• Rank selectors according to the number and power of the hypothesis behaviours they show
• Deliver an ordered list of suspects to OCT

Personae
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■■■■■ 



Scoreboard 

Hypotheses 

FFu m mu imu 



Weights 


0.6 


0.55 


0.52 


0.48 






PI 


4 


2 


0 


4 






5.42 


P2 


4 


4 


II 


1 






5.08 


P3 


4 


1 


H 


4 






4.87 


P4 


I 3 


4 


1 


0 






3.14 
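The ranking step ("rank selectors according to the number and power of the hypothesis behaviours they show") read off the Scoreboard as an added Python example, not LEVITATION code. It assumes the score is the weighted sum of behaviour counts, with the weights printed on the slide; that reading reproduces the P1, P2 and P3 totals exactly (with the two illegible cells in the third column taken as 0, the only value that fits). The P4 row as extracted (3, 4, 1, 0) sums to 4.52 rather than the printed 3.14, so at least one P4 digit is an extraction error; it is kept as printed and not asserted against 3.14. The hypothesis names other than FFU are illegible on the slide, so H2-H4 are placeholders.

```python
"""Added example (not LEVITATION code): weighted scoring and ranking of
personae over hypothesis behaviour counts, with the weights and counts taken
from the Scoreboard slide. H2-H4 stand in for hypothesis names that are
illegible on the slide; the weighted-sum reading is an assumption."""

WEIGHTS = {"FFU": 0.60, "H2": 0.55, "H3": 0.52, "H4": 0.48}

# Behaviour counts per persona, as printed (P4 as extracted; see lead-in).
COUNTS = {
    "P1": {"FFU": 4, "H2": 2, "H3": 0, "H4": 4},
    "P2": {"FFU": 4, "H2": 4, "H3": 0, "H4": 1},
    "P3": {"FFU": 4, "H2": 1, "H3": 0, "H4": 4},
    "P4": {"FFU": 3, "H2": 4, "H3": 1, "H4": 0},
}


def score(counts, weights):
    """Weighted sum of behaviour counts; a hypothesis absent from `counts`
    contributes 0. Rounded to 2 places, matching the slide's precision."""
    return round(sum(weights[h] * counts.get(h, 0) for h in weights), 2)


def hypotheses_shown(counts):
    """Number of distinct hypotheses with at least one observed behaviour."""
    return sum(1 for v in counts.values() if v > 0)


def rank(all_counts, weights):
    """(persona, score, hypotheses_shown), best first. Ties break on breadth
    (more hypotheses shown ranks higher), then on name for determinism."""
    rows = [(p, score(c, weights), hypotheses_shown(c)) for p, c in all_counts.items()]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for persona, s, shown in rank(COUNTS, WEIGHTS):
        print(f"{persona}: {s:.2f} across {shown} hypotheses")
```

The tie-break on breadth is a design choice worth making explicit: a persona that shows several weak behaviours is usually a better lead than one with the same total from a single behaviour repeated, because one repeated behaviour can be a single benign habit while several independent ones are harder to explain away. Whatever rule is chosen, the weights should come from the control-versus-experimental comparison on the previous slide, not from intuition, or the ranking simply encodes the analyst's prior.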
Successes

An HTTP-referred URL gave us a German hostage video from a previously unknown target.

An upload event gave us an [illegible] AQIM's hostage strategy. The resulting report was disseminated widely, including by the CIA to their counterparts overseas.
The End

Team Lead: [redacted] ([redacted]@cse-cst.gc.ca)
Tech Lead: [redacted] ([redacted]@cse-cst.gc.ca)
Me: [redacted] ([redacted]@cse-cst.gc.ca)





